SEC Publishes New Rules Requiring Disclosure of Cyber Incidents
Monday, July 31, 2023

Hardly a day passes without news of another major cyber incident. Recent studies show that cybersecurity incidents are not only becoming more common but also more costly, with some reports estimating an average cost of $9.44 million per breach in the US. In recognition of this mounting problem, government agencies continue to ramp up enforcement and issue new rules, regulations and other guidance aimed at curbing cyber risk. Last week, the SEC published final rules requiring registrants to disclose material cybersecurity incidents as they occur and to describe annually their cybersecurity risk management, strategy and governance. In announcing the new rules, the SEC specifically noted that “an ever-increasing share of economic activity is dependent on electronic systems.” According to SEC Chair Gary Gensler, “Whether a company loses a factory in a fire—or millions of files in a cybersecurity incident—it may be material to investors.”

The SEC’s new rules will require registrants to, among other things:

  • Disclose on Form 8-K any cybersecurity incident the company determines to be “material” within four business days of that determination, describing the material aspects of the incident’s nature, scope and timing and its material impact (or reasonably likely material impact) on the company. The materiality determination itself must be made without unreasonable delay after discovery of the incident. There is a narrow exception permitting delay if the US Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety.

  • Describe on Form 10-K the company’s processes for assessing, identifying and managing material risks from cybersecurity threats, and whether any such risks, including those arising from previous incidents, have materially affected or are reasonably likely to materially affect the company. Companies must specifically describe the board of directors’ oversight of risks from cybersecurity threats and management’s role and expertise in assessing and managing those risks.

The Form 8-K incident disclosures will be required beginning on the later of 90 days after publication of the rules in the Federal Register or December 18, 2023. Smaller reporting companies have an additional 180 days before they must comply. The Form 10-K disclosures will be required beginning with annual reports for fiscal years ending on or after December 15, 2023. For more information about the SEC’s new rules, see SEC Adopts Final Public Company Cyberdisclosure Rules.

While these new rules may make our data safer, they may also create additional risk for registrants and their officers and directors. The four-business-day disclosure rule, for example, may leave companies scrambling to comply while still investigating and responding to the incident itself, at a point when the scope and impact of the incident may not yet be fully understood. Also, requiring companies to describe the board’s and management’s oversight, roles and expertise in managing cyber risk will draw even more attention to the individuals making decisions about cybersecurity processes and incidents. Cyber and directors and officers (“D&O”) liability policies can help mitigate some of these risks. Each offers distinct but complementary coverage that will help protect a company in the event of a cyber incident. Before a cyber incident occurs, companies should carefully review their cyber and D&O policies to determine what claims may be covered, and consider modifications to strengthen coverage, narrow exclusions and maximize the chances of recovery should a claim arise. For additional guidance, including specific tips and best practices to follow when purchasing, renewing and evaluating cyber and D&O policies, please see our recent client alert.
